These security breaches have become impossible to ignore. Even JPMorgan Chase CEO Jamie Dimon said Tuesday that the threat to cardholder information "is a big deal, it's not going to go away" as the bank announced it is replacing two million payment cards as a result of the Target breach.

Have we reached a tipping point — will the U.S. banking and payments industries finally summon the strength, consensus and cash needed to take the firm steps needed to prevent such breaches in the future?

"This is an issue nobody pays attention to," he says. "I've been harping on it for 10 years, always on deaf ears. I think a couple more breaches would have to happen relatively soon to get anybody's attention. If nothing happens for another six months or a year, they will forget about Target." The entire card payment system is very weak and the PCI standard is "not effective at all," he believes.

Olson himself was an early card-fraud victim when his bank first launched debit cards in the mid-90s. "I had used my card at a sporting goods chain and within three days I realized someone was using my card to make long-distance calls. Right from the get-go, I knew this was going to be a problem," he says.

The first large-scale data breach that caught Olson's attention was the one that hit BJ's Wholesale Club in 2004. This was followed by break-ins at Heartland Payment Systems and TJ Maxx.

"When you have thousands of cards and you have to reissue 1,000 or 2,000 cards for each breach, it's an overwhelming expense in terms of time, dollars and inconvenience to the customer," Olson says. The recent Target breach affected 1,000 ESSA card accounts. The bank reissued all of them, at a cost of more than $20,000.

MasterCard and Visa ought to be doing more to protect the card payment system, Olson believes.

"MasterCard and Visa drive these programs," he points out. "They have various touch points hitting customers who use their cards, banks that issue the cards and merchants who use the cards to process payments. Somebody has to be in control of the process." (Visa and MasterCard did not respond to interview requests for this story.)

Olson also believes retailers ought to take more responsibility for security. "[The card associations] give retailers a free pass and every time something goes wrong they charge the banks," he says. "Unless something happens on the retail side, as long as there are debit cards this is going to be a problem, because the retailers' systems are too easy to hack into."

He's a proponent of EMV, the chip card standard used throughout most of the world. Data stored on the chips embedded in the cards is encrypted. (Chip cards do not address card-not-present fraud, in which card data is entered online and there's no device to read the information on the chip.)

To date, the industry has been reluctant to spend the money to convert or replace all existing point of sale terminals and ATMs to accept chip cards and to replace all magnetic stripe cards with smart cards.

"The inertia is simply the retailers don't care because they know the banks will pay," Olson says.

But Bill Nelson, president and CEO of the Financial Services Information Sharing and Analysis Center (a Washington, D.C. organization that gathers threat information from bank and card processor members, anonymizes it and distributes it back), points out that there's little value in pointing fingers.

"This hit banks pretty hard, because they have to reissue cards," he acknowledges. "There's a lot of concern, but understand that Target is the victim and nobody wants this to happen again. We need to think, is there a way for us to work together? Maybe there are lessons learned from the financial community that we could share with retailers."

Nelson does believe the card industry as a whole has reached a boiling point and that it will improve card security — through the use of chip-and-PIN and better information sharing.

"The sharing of information has prevented a lot of fraud and massive attacks that a lot of people don't know about," he says.


Comments (5)

Marc, exactly... Once the transaction is done, why keep that information? The transaction is done. Convenience and security will always be at the opposite ends of this conversation. Even Amazon wants to store your credit card for easy transactions. Of course, I use a unique ID & password, as with all my various logins (except where email addresses are required... like this site). I use a password manager with a lot of randomly generated passwords, which is not as easy as storing that same ID/PW combo for everyone that I can memorize. This is what we end up doing with card information that is static. Then, it is saved... why? Convenience. For Amazon, I use Shop Safe to generate a one-time disposable card number with a finite amount on it and an expiration time. That is not so static. If the information were not on the systems at the time of the breach, it would not have been available for theft. EMV is supposed to help solve this, and our Core provider is still a year out getting it implemented... 4 years in the works for the USA. Bit Coin... Not ready for prime time, for sure. And you say there were static keys on a digital storage device... Why? That is the way Bit Coin works, and will be a major flaw in how it works. It really does work like currency.

Posted by Jim.Lloyd | Wednesday, January 15 2014 at 7:37PM ET

Oops, meant to put the air quotes around "operators," not "Bitcoin" here. Sorry. The "Bitcoin" operators who were hacked

@Just Saying: The "Bitcoin" operators who were hacked were third party "wallet" services that were holding bitcoins on behalf of customers -- or more accurately, holding the private keys. This is why careful Bitcoin users store their private keys offline, and use online wallets only to hold small amounts.

Bitcoin is far from a perfect system as is, certainly not ready for the average consumer to use for day-to-day commerce, but there's a lot to be learned from it. In the legacy system we all use, we reveal the private keys to our financial accounts to numerous third parties we interact with. Like, uhm, Target.

I guess Ms. Litan is choosing to ignore the numerous Bitcoin operators that have been hacked with accountholders having millions of dollars stolen from their accounts. While the hack is different than the transaction hack, the criminals will always go after the weak point in a system's defenses. P2PE combined with tokenization is probably the best way to go.
Regardless, the finger pointing needs to stop and the entire payments industry move forward with a solution that is cost effective and reasonable for all stakeholders.

Posted by Just Saying | Wednesday, January 15 2014 at 8:59AM ET

Yes, the "industry" is slow, in my opinion. In November 2013, PCI (PCISecurityStandards.org) issued PCI-DSSv3 & PA-DSSv3, which are intended to address what is likely the issue behind these breaches. That would be insecure software practices, inappropriately maintained operating systems, and lax network/wifi security practices. User awareness and training is also in the mix. It takes a while for these guidelines to take hold and become practice. PCI-DSSv2 came out 3 years prior, and it took almost 2 years to get our ATMs updated to follow it. Vendors were just not able to address it any more quickly.

If the data was not stored on the systems, it would not have been available to be stolen.
